eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

With over 40% of the world’s websites powered by WordPress, its vast ecosystem of plugins and themes offers flexibility and customization on a global scale. However, this popularity also makes it a prime target for cyberattacks. WordPress is introducing mandatory two-factor authentication (2FA) for all plugin and theme developers to tackle rising security threats, effective October 1, 2024.

This move supports the platform’s security by preventing unauthorized access to developer accounts and protecting millions of websites from potential supply-chain attacks​. WordPress’s new security policies aim to safeguard its users by ensuring that developer accounts, which can push code updates directly to websites, are protected with more than just a password.

Why WordPress Is Mandating 2FA

WordPress’s decision to enforce two-factor authentication for plugin and theme developers isn’t just a precaution — it’s a direct response to a growing wave of cyberattacks targeting the platform. In recent years, supply-chain attacks have become a serious concern, where compromised developer accounts are exploited to inject malicious code into trusted plugins or themes. These attacks can have devastating consequences, impacting thousands or even millions of websites by introducing backdoors, malware, or even cryptomining scripts​.

The root of the problem lies in password reuse and weak security practices. Many developers, like everyday users, may reuse passwords across multiple platforms.

  • Attackers can use the same credentials to access a developer’s WordPress account if one account is compromised through a data breach elsewhere.
  • It is particularly dangerous for accounts with “commit access,” meaning they can directly change the plugin or theme code, potentially pushing out malicious updates​.

For WordPress, the stakes are incredibly high. With 40% of the world’s websites relying on its platform, any vulnerability in the plugin or theme ecosystem can result in widespread damage. It’s especially problematic because many WordPress sites automatically roll out plugin updates, making it easy for compromised code to infiltrate numerous sites without any manual intervention by the site owners​.

Understanding Two-Factor Authentication

Two-factor authentication is a critical step in securing online accounts, and it’s now mandatory for all WordPress plugin and theme developers. So, what exactly is 2FA, and how does it enhance security?

2FA offers an extra layer of protection beyond your username and password. When developers log into their WordPress accounts, they must provide a second form of verification, usually a one-time code generated by an authenticator app or a hardware key. It ensures that even if someone obtains a developer’s password, they cannot access the account without secondary verification​.

This additional layer of security is crucial because passwords alone are often not enough. 

  • Attackers can obtain passwords through various methods like phishing or data breaches, but 2FA makes it exponentially more difficult to compromise an account.
  • A hacker would need to steal the developer’s password and gain access to their 2FA method, such as a smartphone or hardware key.

In short, it significantly raises the barrier, preventing unauthorized access​.

Additional Security Measures: SVN Passwords

In addition to two-factor authentication, WordPress is introducing another layer of developer protection through Subversion (SVN) passwords. These dedicated passwords will be required for committing changes to plugins and themes on the platform, ensuring that even if a main account is compromised, hackers cannot directly inject malicious code into the WordPress ecosystem​.

  • SVN passwords are separate from the primary WordPress login credentials, which means that even if someone gains unauthorized access to a developer’s account, they will not automatically have the ability to modify plugin or theme code. 
  • This separation of privileges reduces the potential damage that can occur during a breach. Essentially, SVN passwords create an additional checkpoint, making it harder for attackers to commit changes to WordPress plugins without proper authorization​.

This extra security measure not only protects the integrity of the code but also maintains the trust of website owners who rely on these plugins and themes​.

How Developers Can Prepare

With the October 1, 2024 deadline for two-factor authentication fast approaching, WordPress developers must take proactive steps to secure their accounts and ensure compliance with the platform’s new security measures. Here’s how developers can get prepared:

Enabling 2FA

WordPress has made it relatively simple for plugin and theme developers to enable 2FA. Developers can choose between using a password authenticator app or a hardware key.

Authenticator apps, like Google Authenticator or Authy, generate one-time use codes that are valid for a limited time. These codes and the developer’s password are required to log into their WordPress account. Alternatively, a hardware key, like YubiKey, can be used for a more secure two-factor authentication method​.

To enable 2FA, developers can follow these steps:

  1. Log into the WordPress account.
  2. Navigate to the account settings.
  3. Select the two-factor authentication option.
  4. Choose either an authenticator app or hardware key, and complete the setup as prompted​.

And here’s how developers can set up their SVN passwords:

  1. Go to the WordPress.org developer account settings.
  2. Go to security settings.
  3. Find the option to set up an SVN password.
  4. Create a strong, unique password specifically for SVN access.

Best Practices for Security

In addition to enabling 2FA and setting up SVN passwords, developers should adopt other security best practices to safeguard their accounts further:

  • Use strong passwords: Ensure that passwords are unique, long, and complex, and avoid reusing passwords across multiple platforms.
  • Regularly update software: Keep all software programs, including WordPress themes and plugins, up-to-date to patch any — and all — vulnerabilities.
  • Review admin access: Regularly audit who has access to the WordPress admin panel and ensure that permissions are only granted to those who absolutely need it​.

What This Means for Website Owners

While the new security measures directly impact WordPress developers, they also hold significant implications for website owners. The requirement for two-factor authentication and the introduction of SVN passwords should give website owners more confidence in the security of the plugins and themes they rely on. The chances of compromised plugins introducing vulnerabilities to a website are greatly reduced​with stricter security protocols.

Enhanced Trust and Security

For website owners, the new 2FA requirement means enhanced trust in the integrity of WordPress plugins and themes. Since plugins are integral to the functionality of many WordPress sites — whether for adding new features, improving SEO, or boosting security — it’s crucial that these tools are not compromised. Mandatory 2FA ensures that only verified developers can access and update the code, reducing the risk of unauthorized changes that could introduce malware or cause site break-ins​.

Minimizing Risks on Your End

Despite WordPress implementing these security upgrades, website owners must still take responsibility for their site security. Following best practices — such as regularly updating plugins and themes, using strong passwords, and implementing their own 2FA — remains critical. Website owners should also monitor their sites for unusual activity, as even with these enhanced measures, no system is entirely foolproof​.

Automatic Updates vs. Manual Vetting

Automatic updates are convenient for ensuring plugins and themes stay up to date, but they can also carry risks if not properly vetted. While WordPress’s new security policies minimize the chances of compromised updates being pushed through, website owners who manage mission-critical sites might still prefer manually reviewing updates before applying them. This extra layer of oversight can be a valuable part of an overall security strategy​.

Looking Ahead

While WordPress is taking important steps to secure its ecosystem, it’s still critical for both developers and website owners to stay vigilant and follow best practices for account and site security​.

As the cyberthreat landscape continues to evolve, WordPress’s proactive measures help ensure its platform remains secure and trustworthy for the long haul. Introducing 2FA is more than just a new requirement — it’s a crucial step toward fortifying the WordPress ecosystem against ever-evolving security threats​.

Combine password management solutions with network security practices to strengthen your security posture further.